Full Disclosure mailing list archives

RE: Comment Spam: new trends, failing counter-measures and why it's a big deal


From: "php0t" <very () unprivate com>
Date: Mon, 13 Feb 2006 18:31:46 +0100

the global solution against word recognition based challenges? If it
was like that, it would mean that there is no way anybody could make
an image generator that would change its success rate from 90% to
0%...

It's *really* *really* difficult to produce a graphic image of letters
and numbers that is still recognizable to a human but can't
be beaten by a good edge-detection algorithm.  For instance, you can
"bleed" the edges so that they're fuzzy - but then the
human has a hard time telling if it's an 'i' or an 'l', or an 'h' or a
'b' (and so on).


  This is kind of like the problem that you have when you get a
confirmation code in SMS, and you can't tell between I's and l's etc
thanks to your mobile phone's display. But that doesn't mean the problem
is about verifying the person via SMS. They just need to filter / change
some letters used to make it a little more obvious (and maybe balance it
with longer strings).

What you're saying sounds nice, but I ask again - both of you - to post
some links to some of these high success rate AI bots (preferably PHP ones)
with that algo you say is hard to beat.

  I'm certainly interested in this, because all this time I thought that
even if there were *some* applications that could defeat *some*
challenges, the Turing test was still up to the current times, but what
you're telling me totally contradicts that.
Since you both mentioned these things as certain existing facts, it
would be nice to get a reference to a URL (preferably more) so people
could just look at it (them) and try for themselves (and naturally play
around with them until they beat it - you say it's *very very* hard, I
say I have yet to see it - even if it's hard, it'd be worth my time to
experiment with it, others will probably agree who think this subject is
interesting). Yes, I googled, I didn't get 


I suppose you *could* put up a picture of something, and ask "What is
this a picture of" - but then you need a sufficiently
large library of images that an attacker can't just download all of
them and have a human name each one once. And of
course, this has the danger that a user can be left saying: "WTF? Is
that an antelope or a gazelle?"...


  You're right, I don't like the idea of having a database of all the
possible answers, and the antelope/gazelle thing certainly got me pissed
on the captcha site. When I tested it, first it was a couple of bugs (I
found neither insect nor bug in the list), then it was
umbrellas with an exception picture - it was more like a pain in the
ass, a computer would have better luck by going through the option list
:P


  Eagerly waiting for examples,
php0t


Ps: these are what I found on google about the subject. They're nice,
but 1) they contain no code / tryout option, and some of them only focus
on solving certain captchas. (as I previously said, *some* apps, *some*
tests...)

http://www.comp.leeds.ac.uk/fyproj/reports/0405/Rice.pdf
http://algoval.essex.ac.uk/rep/textloc/IjdarSpecialFinal.pdf
http://bhiv.com/2005/09/30/defeating-diggs-captcha/
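The SMS confirmation-code remark above (drop letters that look alike on a phone display, and make up for the smaller alphabet with a longer string) as an added, self-contained example; this is not code from the poster or from any of the linked papers. It assumes an uppercase alphanumeric alphabet and treats 0/O and 1/I/L as the confusable set; the function and constant names are my own.

```python
import hmac
import math
import secrets

# 36 symbols; the "safe" subset drops the pairs that blur together on a small
# display (0/O, 1/I/L), leaving 31 symbols.  Lowercase is excluded entirely so
# 'l' vs 'I' never comes up.
FULL_ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"
CONFUSABLE = set("0O1IL")
SAFE_ALPHABET = "".join(c for c in FULL_ALPHABET if c not in CONFUSABLE)


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy of a uniformly random code: length * log2(alphabet size)."""
    return length * math.log2(alphabet_size)


def length_for_equivalent_entropy(alphabet_size: int,
                                  reference_size: int,
                                  reference_length: int) -> int:
    """Shortest code over `alphabet_size` symbols that has at least as much
    entropy as a `reference_length`-symbol code over `reference_size` symbols.
    This is the "balance it with longer strings" step."""
    target = entropy_bits(reference_size, reference_length)
    return math.ceil(target / math.log2(alphabet_size))


def generate_code(length: int, alphabet: str = SAFE_ALPHABET) -> str:
    """Draw each symbol from a CSPRNG (secrets), never random.random()."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def is_unambiguous(code: str) -> bool:
    """True if every symbol is one a user can read without guessing."""
    return all(c in SAFE_ALPHABET for c in code)


def verify_code(submitted: str, expected: str) -> bool:
    """Case-insensitive, constant-time comparison of what the user typed."""
    return hmac.compare_digest(submitted.strip().upper().encode(),
                               expected.upper().encode())


if __name__ == "__main__":
    # A 6-symbol code over 36 symbols needs 7 symbols over the safe 31.
    n = length_for_equivalent_entropy(len(SAFE_ALPHABET), len(FULL_ALPHABET), 6)
    code = generate_code(n)
    print(n, code, is_unambiguous(code))
```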

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/